<!doctype html>
<html lang="en">

<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Document</title>
  <!--
    Purpose: understand how an XSS attack comes about.
    innerHTML parses the string it is given as HTML, so a string that mixes in
    markup able to run script becomes live code in this page's origin.
    Defensive takeaway: only constant or sanitized markup should reach
    innerHTML; plain text belongs in textContent.
  -->
  <style>
    /* Pink 100x100 square: the element whose content the script below replaces. */
    #box {
      background-color: pink;
      height: 100px;
      width: 100px;
    }
  </style>
</head>

<body>

  <!-- Target container; the script looks it up by id and overwrites its content. -->
  <div id="box"></div>

  <script>
    // Stand-in for "code running in the page": alert(1) is scheduled with
    // setInterval. No delay argument is given and the timer id is not kept,
    // so nothing in this file ever clears it and the dialog keeps reappearing.
    setInterval(function () {
      alert(1);
    });

    // The sink this demo is about. The value assigned here is a constant
    // string, so this exact line is harmless. It turns into an XSS hole as soon
    // as the string is built from input the page does not control (URL
    // parameters, form fields, API responses): innerHTML does not execute
    // inserted script elements, but it keeps event-handler attributes, and
    // those do run.
    // Safer options: textContent for text, createElement/append for structure,
    // or a vetted HTML sanitizer in front of innerHTML, backed by a
    // Content-Security-Policy (and Trusted Types where the browser supports it).
    document.getElementById('box').innerHTML = '<span >123</span>';
  </script>

</body>

</html>